Mobile Threat Blog

Share

Mythbuster: App Stores Don’t Approve Unsafe Apps

Many IT security pros believe that app store approval means that apps are safe for enterprise use. That’s far from true. We bust this myth by showing why app stores can’t and won’t ensure mobile app safety at an enterprise level. Hint: the app economy they thrive on is at odds with your enterprise mobile security needs.

What’s the single largest threat to your enterprise data from mobile devices? Most correctly guess it’s the apps, but incorrectly think it’s specifically because of malware. The reality is that if users stick to the official app stores, and in corporate environments they often do, then malware risk is minimal. Apple and Google invest tremendous resources to eliminate malware from their app stores in order to protect their app revenue, which is massive. Occasionally bad apps – malware, fake popular apps, and imposter apps do sneak into app stores but they are usually quickly identified and eliminated.

Security professionals often look at this and say, “It’s app-store approved, so it’s safe.” But app store screening is not sufficient for enterprise mobile security needs.

So, IT Security professionals often look at this and say, “It’s app-store approved, so it’s safe.” But they’re wrong. App store screening is not sufficient for enterprise mobile security needs.

2 reasons app stores don’t provide enterprise-grade app screening

While Apple and Google have to protect all users from malware, there are two important reasons why they can’t and don’t try to achieve enterprise-grade mobile security.

Enterprise-grade security is too strict for most consumers

The first reason is that enterprise-grade security is too strict for most consumers who have grown comfortable oversharing their data, including credentials, photos, documents and location information, with 3rd party mobile apps and services. Some of these app behaviors are perfectly ok for the average consumer, but may not meet the compliance requirements for an executive in a financial institution, for example. If app stores were as strict as IT Security departments, then app stores would not offer the millions of apps they offer today, severely impacting revenue from the massive (and growing) app businesses that Apple and Google are currently enjoying. In 2016 alone, Apple’s App Store contributed over $28B to the company’s revenue.

Security compliance is different for each company

The second reason is that enterprises have very strict security, privacy, data usage, and, in some cases, compliance and regulation policies that are unique to each enterprise. As a result, there simply is no common, enterprise-grade security and privacy requirement that all public mobile apps need to meet. This makes it impossible for an app store to promise mobile app security which is good enough for your enterprise.

The app economy works against enterprise mobile security

In the enterprise, app data leakage is one of the main concerns, and for good reason. Employees spend a significant portion of their work day using mobile apps, often accessing sensitive data that would compromise company security if accessed by outside actors. Here are two key ways that limited app store vetting fails enterprise security needs.

Sharing: standard for consumers, risky for employees

On the consumer side, corporate security considerations don’t exist. Users have spoken with their wallets, having shown preference for free or inexpensive apps. Developers are forced to find new, creative ways to monetize app development and are incentivized to collect and share user data. In the app economy, if the user is not paying for the app with money, they are paying for the app with their data. In other words, user data (both personal and corporate) IS the product.

This is an oversharing world where apps are harvesting increasing amounts of user and device information and requesting increasing amounts of permissions from users. For their part, users, more often than not, grant access to the data and permissions reflexively, without truly understanding what all this means to them. In an enterprise environment, this automatic sharing creates a huge security risk.

Leakage: development pace breeds vulnerabilities

Another reality to consider is the risk of unintended data leakage through mobile apps. Most data leakage is not due to malicious intent, or employees over sharing, but rather to developer mistakes that create vulnerabilities within otherwise legitimate apps. Moving faster to deliver the app updates and features consumers demand can lead developers to take shortcuts, using insecure code or coding practices, that create these vulnerabilities.

When vulnerabilities occur in popular apps used for business, it can impact hundreds of millions of devices and create opportunities for massive data leaks. This was the case with the HospitalGown and Eavesdropper app vulnerabilities, recently discovered by Appthority. HospitalGown exposed 43TB of enterprise data. Eavesdropper exposed hundreds of millions of call recordings and text messages when apps collecting sensitive corporate data were downloaded, which happened on Android apps over 180M times. Each went undetected in the official app stores for years. And each of these impacted legitimate apps had no malicious intent but enabled massive data leaks.

Enterprise mobile app screening checklist

To truly ensure that the mobile apps in your environment can keep your enterprise data secure, you need to get a deep analysis of your mobile app inventory. This can only be achieved with technology that uses deep static, dynamic, behavioral, and back-end analysis of apps.

Here’s a checklist of what you need to know about the mobile apps in your environment:

What data does each app access? (Credentials? Location data? More data than necessary?)

How is the data sent? (Is it properly encrypted? Does the app use certificate pinning?)

Who is the cloud storage provider? (Authorized? Secure? Rogue/shadow IT?)

It’s only when armed with this kind of knowledge that you can understand your corporate and regulatory compliance, build whitelists of approved mobile apps, and build employee education programs to engage everyone in keeping your enterprise data safe and secure.

So, do you still think that the app store review process is good enough for your enterprise? Without fully analyzing your apps, how do you know you can trust them?